Report No. D-2011-114                                          September 30, 2011

Summary of Information Assurance Weaknesses as Reported by Audit Reports Issued From August 1, 2010, Through July 31, 2011

Additional Copies
To obtain additional copies of this report, visit the Web site of the Department of Defense Inspector General at http://www.dodig.mil/audit/reports or contact the Secondary Reports Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Audits
To suggest or request audits, contact the Office of the Deputy Inspector General for Auditing by phone (703) 604-9142 (DSN 664-9142), by fax (703) 604-8932, or by mail:

    ODIG-AUD (ATTN: Audit Suggestions)
    Department of Defense Inspector General
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms and Abbreviations
DON      Department of the Navy
FISMA    Federal Information Security Management Act
IA       Information Assurance
OMB      Office of Management and Budget
PII      Personally Identifiable Information
SSN      Social Security Number

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

September 30, 2011

MEMORANDUM FOR ASSISTANT SECRETARY OF DEFENSE FOR NETWORKS AND INFORMATION INTEGRATION/DOD CHIEF INFORMATION OFFICER
               ASSISTANT SECRETARY OF THE AIR FORCE (FINANCIAL MANAGEMENT AND COMPTROLLER)
               NAVAL INSPECTOR GENERAL
               AUDITOR GENERAL, DEPARTMENT OF THE ARMY

SUBJECT: Summary of Information Assurance Weaknesses as Reported by Audit Reports Issued From August 1, 2010, Through July 31, 2011 (Report No. D-2011-114)

We are providing this summary report for your information and use. This report is a compilation of all audit reports issued during the given period that contained findings describing weaknesses in the Department's information assurance and information security arena. This report contains no recommendations for action; however, it does identify previously issued audit reports that contain open recommendations. The report concludes that proper information assurance measures are essential to protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.

This summary report serves as a reference document to support the Department of Defense Office of Inspector General's response to the requirements of Public Law 107-347, Title III, "Federal Information Security Management Act (FISMA)," section 3545, December 17, 2002. We did not issue a draft report and no written response is required.

We appreciate the courtesies extended to the staff. Please direct questions to me at (703) 604-8866 (DSN 664-8866).

                                             Alice F. Carey
                                             Assistant Inspector General
                                             Readiness, Operations, and Support

Report No. D-2011-114 (Project No. D2011-D000LB-0149.000)            September 30, 2011

Results in Brief: Summary of Information Assurance Weaknesses as Reported by Audit Reports Issued From August 1, 2010, Through July 31, 2011

What We Did
We researched, obtained, and summarized all audit reports, issued between August 1, 2010, and July 31, 2011, that contained findings on information assurance weaknesses in DoD. The reports were issued by the Department of Defense Office of Inspector General (DoD OIG), Army Audit Agency, Naval Audit Service, Air Force Audit Agency, and the Government Accountability Office. This summary report is for information purposes only and supports the DoD OIG's response to the requirements of Public Law 107-347, Title III, "Federal Information Security Management Act (FISMA)," section 3545, December 17, 2002.

We included five additional information assurance categories in this year's report, as identified by the FY 2011 Inspector General Federal Information Security Management Act reporting requirements. This report is the 13th information assurance summary report issued by the DoD OIG since January 1999.

What We Found
Between August 1, 2010, and July 31, 2011, the DoD OIG, Army Audit Agency, Naval Audit Service, Air Force Audit Agency, and Government Accountability Office issued 42 reports addressing a wide range of information assurance weaknesses that persist throughout DoD systems and networks. The top four weaknesses identified were security policies and procedures/management oversight; security awareness, training, and education; access controls; and Privacy Act information.

The information security weaknesses in DoD continued to provide unauthorized personnel the opportunity to modify, steal, inappropriately disclose, and destroy sensitive DoD data. Persistent weaknesses in information security policies and practices continued to threaten the availability, integrity, authentication, confidentiality, and non-repudiation of critical information and information systems used to support operations, assets, and personnel.

What We Recommend
Recommendations are made in the individual audit reports that are identified in this Summary Report. Therefore, this report contains no new recommendations and is provided for information purposes only.

Management Comments
We did not issue a draft report because this report consolidates audit findings from audit reports that were published in the last year. No written response to this report is required.

Table of Contents

Introduction
    Objectives
    Background

Results.
Information Assurance Weaknesses Continue to Persist Throughout DoD
    Reports on Information Assurance Weaknesses
    Types of Information Assurance Weaknesses
    Persistent Information Assurance Weaknesses Reported in the Past 12 Years
    Unresolved Recommendations
    Summary

Appendices
    A. Scope and Methodology
    B. Prior Coverage
    C. Matrix of Information Assurance Weaknesses Reported From August 1, 2010, Through July 31, 2011
    D. Audit Reports Issued From August 1, 2010, Through July 31, 2011
    E. Matrix of Reports that Identified Key Information Assurance Weaknesses Reported From January 1, 1995, Through July 31, 2010
    F. Audit Reports From Prior Information Assurance Summary Reports With Unresolved Recommendations

Glossary

Introduction

Objectives
The purpose of this report is to provide a reference document that identifies all audit reports that contained findings outlining information assurance weaknesses in DoD. The overall objective was to summarize the information assurance (IA) weaknesses identified in reports and testimonies issued by the DoD audit community and the Government Accountability Office (GAO) between August 1, 2010, and July 31, 2011. This summary report supports the Department of Defense Office of Inspector General's (DoD OIG) response to the requirements of Public Law 107-347, Title III, "Federal Information Security Management Act (FISMA)," section 3545, December 17, 2002. See Appendix A for a discussion of the scope and methodology and Appendix B for prior coverage related to the objective.

Background
This report is the 13th annual IA summary the DoD OIG has issued since January 1999. Collectively, the 12 previous reports summarized 535 reports and testimonies on IA weaknesses found in DoD. Civil service and uniformed officers who develop, operate, or manage DoD information technology resources should read this report to be aware of potential IA challenges in both their own and shared DoD information technology environments.

Additional Information Assurance Categories
In 2010, the Office of Management and Budget (OMB) mandated that the Department of Homeland Security provide guidance and operational oversight for FISMA reporting. Specifically, the Department of Homeland Security is responsible for the development and issuance of FISMA security metrics for Federal agencies. The Department of Homeland Security recently issued the FY 2011 Inspector General FISMA Reporting requirements. To remain consistent with the updated requirements, this year's IA summary report includes five additional IA categories. The new IA categories are remote access management, identity and access management, continuous monitoring management, contractor systems, and security capital planning. See the glossary for definitions of these categories.

Federal Information Security Management Act of 2002
Federal agencies are required to annually submit a FISMA assessment on questions related to information security management.
The annual reports are submitted electronically in CyberScope, an automated, streamlined platform used for secure FISMA reporting and for the collection of agency cyber security information.

FISMA provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets. FISMA requires that each agency develop, document, and implement an agency-wide information security program to provide security for the information and information systems that support the operations and assets of the agency. Each agency is to comply with FISMA and related policies, procedures, standards, and guidelines, including the information security standards promulgated under section 11331, title 40, United States Code (40 U.S.C. 11331), "Responsibilities for Federal Information Systems Standards." Under 40 U.S.C. 11331, standards and guidelines for Federal information systems are to be based on standards and guidelines developed by the National Institute of Standards and Technology. FISMA requires that each agency with an Inspector General appointed under the Inspector General Act of 1978, as amended, perform an independent evaluation of the information security program and practices of that agency to determine effectiveness. Each agency's Inspector General, Chief Information Officer, and Privacy Office submit a single, combined FISMA assessment report to OMB.

National Institute of Standards and Technology
To meet its statutory responsibilities under FISMA, the National Institute of Standards and Technology, part of the U.S. Department of Commerce, developed a series of standards and guidelines to provide information security for operations and assets of Federal agencies. Specifically, the Computer Security Division of the Information Technology Laboratory developed computer security prototypes, tests, standards, and procedures designed to protect sensitive information from unauthorized access or modification. Focus areas include certification and accreditation, cryptographic technology and applications, advanced authentication, public key infrastructure, internetworking security, criteria and assurance, and security management and support. The standards and guidelines present the results of National Institute of Standards and Technology studies, investigations, and research on information technology security.

Privacy Act of 1974 and E-Government Act of 2002
On June 13, 2005, OMB required Federal agencies to begin including information on their privacy programs in their annual FISMA reports. At the same time, OMB discontinued agencies' separate annual privacy-related submissions under Public Law 107-347, "E-Government Act of 2002," December 17, 2002. OMB's privacy questions relate in part to the Privacy Act of 1974 (section 552a, title 5, United States Code) and the E-Government Act of 2002. The intent of the Privacy Act is to require Federal agencies to protect individuals against unwarranted invasions of their privacy by limiting the collection, maintenance, use, and disclosure of personal information about them. The E-Government Act requires that Federal agencies establish information practices that restrict disclosure of personally identifiable records, and it grants individuals increased access to agency records maintained on them. The E-Government Act of 2002 additionally requires that Federal agencies protect the collection of personal information in Federal Government information systems by conducting privacy impact assessments. A privacy impact assessment is an analysis of how personal information is collected, stored, shared, and managed in Federal information technology systems.

DoD Information Assurance Guidance
DoD IA guidance comprises the following documents.

   • DoD Directive 5400.11, "DoD Privacy Program," May 8, 2007, establishes policy for the respect and protection of an individual's personal information and fundamental right to privacy.
   • DoD Instruction 5400.16, "DoD Privacy Impact Assessment (PIA) Guidance," February 12, 2009, establishes policy and assigns responsibilities for completion and approval of Privacy Impact Assessments.
   • DoD Directive 8500.01E, "Information Assurance (IA)," October 24, 2002, Certified Current as of April 23, 2007, establishes policy and assigns responsibility to achieve IA throughout DoD.
   • DoD Instruction 8500.2, "Information Assurance (IA) Implementation," February 6, 2003, implements the policy, assigns responsibilities, and prescribes procedures for applying integrated layered protection of DoD information systems and networks as DoD Directive 8500.01E outlines.
   • DoD Instruction 8510.01, "DoD Information Assurance Certification and Accreditation Process (DIACAP)," November 28, 2007, establishes a certification and accreditation process.
   • DoD Directive 8570.01, "Information Assurance Training, Certification, and Workforce Management," August 15, 2004, Certified Current as of April 23, 2007, establishes policy and assigns responsibility for DoD IA training, certification, and workforce management.
   • DoD Policy, "Web Site Administration Policies and Procedures," November 25, 1998, latest correction from January 11, 2002, delineates the policy and assigns responsibility related to establishing, operating, and maintaining unclassified Web sites and other related services.
   • Deputy Secretary of Defense Memorandum, "Department of Defense (DoD) Web Site Security Policy Compliance," September 25, 2008, requires Components to ensure that they have processes in place that ensure all information posted to publicly accessible Web sites is reviewed and approved prior to posting.
   • Deputy Secretary of Defense Memorandum, "Policy for Department of Defense (DoD) Interactive Internet Activities," June 8, 2007, provides authority and guidance for the use of interactive Internet activities, that is, systems accessible via the Internet that allow two-way communication.
   • Deputy Secretary of Defense Memorandum, "Web Site Administration," December 7, 1998, provides policy, assigns responsibility, and describes the procedures for establishing, operating, and maintaining DoD unclassified Web sites. To maximize the availability of timely and accurate information to the public while maintaining a secure framework, DoD Components have the responsibility to ensure sound information assurance practices are in place and operating for Web sites.

Results.
Information Assurance Weaknesses Continue to Persist Throughout DoD

Between August 1, 2010, and July 31, 2011, the DoD audit community and GAO issued 42 reports addressing a wide range of IA weaknesses that persist throughout DoD systems and networks. This report summarizes the IA weaknesses listed in the reports. The top four weaknesses identified were security policies and procedures/management oversight; security awareness, training, and education; access controls; and Privacy Act information. The information security weaknesses in DoD continued to provide unauthorized personnel the opportunity to modify, steal, inappropriately disclose, and destroy sensitive DoD data. Persistent weaknesses in information security policies and practices identified in this report continued to threaten the availability, integrity, proper authentication, confidentiality, and non-repudiation of critical information and information systems used to support operations, assets, and personnel.

Reports on Information Assurance Weaknesses
The weaknesses identified in reports by the DoD audit community and GAO were defined by guidance described in FISMA, OMB memoranda, National Institute of Standards and Technology standards and guidelines, and DoD guidelines. On June 1, 2011, for the first time, the Department of Homeland Security issued the annual FISMA Reporting requirements. The following table shows the number of information assurance weaknesses that the 42 reports identified. Counts are numbers of reports citing each IA area; a single report may cite several areas. See the glossary for specialized terms.

Table. Information Assurance Weaknesses Reported From August 1, 2010, Through July 31, 2011

IA Areas                                              GAO   DoD OIG   Military Departments   Total
Access Controls                                         0         3                      9      12
Certification and Accreditation                         1         3                      1       5
Configuration Management                                1         3                      1       5
Contingency Plans                                       0         0                      1       1
Continuity of Operations Plans                          0         2                      0       2
Continuous Monitoring Management                        0         3                      1       4
Contractor Systems                                      0         0                      0       0
Cyber Security                                          0         0                      1       1
Identity and Access Management                          1         4                      2       7
Information Systems Inventory Reporting                 1         0                      1       2
Incident Handling                                       0         1                      1       2
Interoperability                                        1         0                      0       1
Personnel Security                                      1         0                      1       2
Physical Security                                       0         1                      2       3
Plans of Action and Milestones                          6         2                      1       9
Privacy Act Information                                 0         1                      9      10
Remote Access Management                                0         0                      0       0
Risk, Threat, and Vulnerability Assessment              2         2                      2       6
Security Capital Planning                               2         0                      0       2
Security Awareness, Training, and Education             1         1                     11      13
Security Policies & Procedures/Management Oversight     8         4                     26      38

Types of Information Assurance Weaknesses
Reports issued during the reporting period most frequently cited weaknesses in the IA areas of security policies and procedures/management oversight; security awareness, training, and education; access controls; and Privacy Act information. See Appendix C for a matrix of reports listed by their specific IA weaknesses and Appendix D for a list of reports summarized in this report.

Security Policies and Procedures/Management Oversight
The category of security policies and procedures/management oversight entails an organization's policies for operation and the procedures necessary to implement the policies. The DoD audit community and GAO reported weaknesses related to security policies and procedures/management oversight in 38 reports. For example, Air Force Audit Agency Report No. F2010-0008-FC4000, "Temporary Duty Travel Management," September 13, 2010, found that travel management personnel did not properly segregate duties among accountable officials and allowed personnel multiple levels of access. In addition, travel management personnel did not always properly appoint or train accountable officials.
Further, travel management personnel improperly granted contractor personnel approval authority in the Defense Travel System. These conditions existed because Air Force guidance did not include a requirement to periodically review accountable official permission levels to ensure proper segregation of duties, did not adequately address accountable official management, and did not adequately address the Defense Travel System rights and permission levels for contractor personnel. As a result, accountable officials with multiple permission levels inappropriately approved 4,775 vouchers, valued at over $6 million; accountable officials did not receive the training required to help ensure proper management of Air Force travel funds; and contractor personnel had permission to approve and manage Air Force funds. The report recommended that the Air Force Defense Travel System Financial Management Guide define proper segregation of duties and include examples of jobs and permission levels that must be segregated; that Air Force Lead Defense Travel Agents verify all accountable officials have training certificates and signed DD Forms 577 on file; and that the Air Force Defense Travel System Financial Management Guide be revised to prohibit assigning contractor personnel to accountable-level positions. According to the report, management officials agreed with the audit issues, and actions taken were responsive.

Security Awareness, Training, and Education
Security awareness, training, and education are defined as follows:
   • Awareness is a learning process that sets the stage for training by changing individual and organizational attitudes to realize the importance of security and the adverse consequences of its failure.
   • Training is teaching individuals the knowledge and skills that will enable them to perform their jobs more effectively.
   • Education focuses on developing the ability and vision to perform complex, multidisciplinary activities and the skills needed to further the information technology security profession. Education activities include research and development to keep pace with changing technologies.

The DoD audit community and GAO reported weaknesses related to security awareness, training, and education in 13 reports. For example, DoD Inspector General (IG) Report No. D-2011-020, "DoD Controls Over Information Placed on Publicly Accessible Web Sites Require Better Execution," November 29, 2010, found that DoD organizations did not ensure all DoD Web site administrators received the required Web operations security training. Web operations security training is important to ensure the proper control and proper posting of sensitive information to DoD public Web sites. Of 470 Web site administrators reviewed, 452 had not received required operations security training.
This occurred because DoD organizations did not execute enforcement actions for noncompliance with Web site policies and procedures, and Components did not fully disseminate required policies and procedures governing publicly accessible Web sites. As a result, DoD is at a higher risk of posting sensitive information to DoD public Web sites. The report recommended that the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer develop and issue a DoD Instruction that requires heads of DoD Components to annually assess and document DoD Internet services and use of Internet-based capabilities. This recommendation will allow for compliance with applicable policies and procedures, including verification that all Web site administrators have received the proper Web operations security training. According to the report, management agreed with the recommendation, stating that the annual policy compliance assessment and corrective action will be mandated in the impending DoD Instruction 8430.aa.

Access Controls
Access controls limit information system resources to authorized users, programs, processes, or other systems. The DoD audit community and GAO reported weaknesses related to access controls in 12 reports. For example, Air Force Audit Agency Report No. F2011-0002-FB2000, "Enterprise Environmental Safety and Occupational Health – Management Information System Application Controls," February 15, 2011, found that Enterprise Environmental Safety and Occupational Health – Management Information System program personnel need to strengthen implementation of general controls. Program and functional personnel did not maintain effective control over system access. Specifically, the system's points of contact incorrectly established user accounts without the required approvals, did not deactivate all invalid user accounts, and provided some users with excessive and unauthorized account privileges. This condition occurred because program and functional personnel bulk loaded user accounts when migrating from the former Air Force Environmental Management Information System to the new system without verifying user access requirements. As a result, the program could provide unauthorized users access to enter improper transactions into the system. The report recommended that Enterprise Environmental Safety and Occupational Health – Management Information System points of contact conduct a one-time reconciliation and correction of all current accounts to user access forms and duty requirements.
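The one-time reconciliation recommended in the access-control finding above, and the periodic review of permission levels that the Temporary Duty Travel Management report found missing, are mechanical checks that can be scripted against an account export. The following is an added example and not code from either report or from the systems they examined: the account records, the signed access forms, the role names, the conflicting role pairs and the 90-day dormancy threshold are all constructed for illustration. It reports accounts with no approval on file (the bulk-load case), accounts whose owner has separated, privileges beyond what the form approved, segregation-of-duties conflicts, and contractor accounts holding accountable roles.

```python
"""Access review: reconcile live accounts against approved access forms
and flag segregation-of-duties conflicts.

Added example; not code from the audit reports or the systems they
examined. Account records, access forms, role names and the conflict
rules below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    """One row of the application's user export."""
    user: str
    roles: FrozenSet[str]
    contractor: bool = False
    last_login: Optional[date] = None


@dataclass(frozen=True)
class AccessForm:
    """The signed user access form that authorizes an account."""
    user: str
    approved_roles: FrozenSet[str]
    approved_by: str
    separated_on: Optional[date] = None  # set when the person left


# Role pairs one person must not hold at once (constructed; modelled on the
# travel-system finding that officials with multiple permission levels
# approved vouchers they should not have been able to approve).
SOD_CONFLICTS = (
    frozenset({"certifying_official", "approving_official"}),
    frozenset({"account_creator", "account_approver"}),
)
# Roles accountable for funds; the travel report recommended that contractor
# personnel never be assigned to accountable-level positions.
ACCOUNTABLE_ROLES = frozenset({"certifying_official", "approving_official"})

Finding = Tuple[str, str, str]  # (user, finding code, detail)


def review(accounts: List[Account], forms: List[AccessForm], today: date,
           dormant_days: int = 90) -> List[Finding]:
    """Return every discrepancy between the live accounts and the forms."""
    forms_by_user = {f.user: f for f in forms}
    findings: List[Finding] = []
    for acct in sorted(accounts, key=lambda a: a.user):
        form = forms_by_user.get(acct.user)
        if form is None:
            # Typical of bulk-loaded accounts: nobody ever approved them.
            # The whole account is remediated, so no finer checks are run.
            findings.append((acct.user, "NO_APPROVAL", "no access form on file"))
            continue
        if form.separated_on is not None and form.separated_on <= today:
            findings.append((acct.user, "DEACTIVATE", f"separated {form.separated_on}"))
        excess = acct.roles - form.approved_roles
        if excess:
            findings.append((acct.user, "EXCESS_PRIVILEGE", ", ".join(sorted(excess))))
        # Checked against the live roles, not the form: an approved form can
        # itself grant a conflicting pair, which is still a finding.
        for pair in SOD_CONFLICTS:
            if pair <= acct.roles:
                findings.append((acct.user, "SOD_CONFLICT", " + ".join(sorted(pair))))
        if acct.contractor and acct.roles & ACCOUNTABLE_ROLES:
            findings.append((acct.user, "CONTRACTOR_ACCOUNTABLE",
                             ", ".join(sorted(acct.roles & ACCOUNTABLE_ROLES))))
        idle = None if acct.last_login is None else (today - acct.last_login).days
        if idle is None or idle > dormant_days:
            findings.append((acct.user, "DORMANT",
                             f"last login {acct.last_login} ({idle} days)"))
    return findings


# Constructed sample data: a review run on 15 February 2011.
TODAY = date(2011, 2, 15)
ACCOUNTS = [
    Account("alice", frozenset({"viewer"}), last_login=date(2011, 2, 1)),
    Account("bob", frozenset({"certifying_official", "approving_official"}),
            last_login=date(2011, 2, 10)),
    Account("carol", frozenset({"viewer", "admin"}), last_login=date(2010, 9, 1)),
    Account("dave", frozenset({"viewer"}), last_login=date(2011, 1, 20)),  # bulk-loaded
    Account("erin", frozenset({"approving_official"}), contractor=True,
            last_login=date(2011, 2, 12)),
]
FORMS = [
    AccessForm("alice", frozenset({"viewer"}), "supervisor1"),
    AccessForm("bob", frozenset({"certifying_official", "approving_official"}), "supervisor1"),
    AccessForm("carol", frozenset({"viewer"}), "supervisor2", separated_on=date(2010, 10, 15)),
    AccessForm("erin", frozenset({"approving_official"}), "supervisor2"),
]

if __name__ == "__main__":
    for user, code, detail in review(ACCOUNTS, FORMS, TODAY):
        print(f"{user:8} {code:22} {detail}")
```

On the sample data the review flags bob's conflicting role pair even though his form approved both roles, carol for deactivation, excess privilege and dormancy, dave as never approved, and erin as a contractor in an accountable role; alice is clean. In practice the two inputs would be the system's user export and the approved access forms, and each finding would be tracked to closure rather than just printed.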
According to the Air Force Audit Agency report, management concurred and has taken corrective actions.

Privacy Act Information
Privacy Act information is personal information about an individual that links, relates, or is unique to or identifies or describes him or her, such as Social Security number (SSN); age; military rank; civilian grade; marital status; race; salary; home or office phone number; and other demographic, biometric, personal, medical, and financial information. This information is also referred to as personally identifiable information (PII), or information which can be used to distinguish or trace an individual's identity. The DoD audit community and GAO reported weaknesses related to Privacy Act information in 10 reports. For example, Naval Audit Service Report No. N2011-0020, "Unnecessary Collection of Personally Identifiable Information in the Department of the Navy," January 28, 2011, found that the Department of the Navy (DON) was unable to ensure only necessary PII was being collected. Further, SSNs were printed or displayed on systems and forms without being masked or condensed, as required. These conditions occurred because:

   • there was no overall DON guidance to reduce the collection of SSNs;
   • the DoD Information Technology Portfolio Repository-DON database was incomplete;
   • DON could not identify all DON forms in order to reduce SSN collection; and
   • there was no DON requirement limiting exposure of SSNs.

As a result, DON does not have assurance of the proper collection and use of SSNs and PII across the Department, which puts the DON at a higher risk of identity theft. The report recommended that the DON Chief Information Officer issue guidance to reduce the collection and limit the exposure of SSNs and other PII.
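The masking condition in the Naval Audit Service finding above (SSNs printed or displayed without being masked or condensed) can be checked before a form or report is released. The following is an added example, not code from the report or from any DON system, and the sample form text is constructed. It finds nine-digit SSN candidates in the hyphenated, space-separated and unbroken layouts, drops candidates that are structurally invalid under the Social Security Administration's rules (area 000, 666 or 900-999; group 00; serial 0000), and rewrites the rest so only the last four digits remain.

```python
"""Find and mask Social Security numbers in text before it is released.

Added example; not code from the audit report or any DON system. The
sample form text is constructed.
"""
import re
from typing import List, Tuple

# Three digits, two digits, four digits, with the same separator ("-", " "
# or none) between groups, and not embedded in a longer digit run such as
# a 10-digit DoD ID number.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural validity per the Social Security Administration's rules."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> List[Tuple[int, str]]:
    """Return (line number, matched text) for every plausible SSN in text."""
    hits = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(m.group(1), m.group(3), m.group(4)):
            line = text.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(0)))
    return hits


def mask_ssns(text: str) -> str:
    """Replace each plausible SSN with its masked form, keeping the layout
    and the last four digits (e.g. 123-45-6789 -> XXX-XX-6789)."""
    def repl(m: "re.Match") -> str:
        area, sep, group, serial = m.group(1), m.group(2), m.group(3), m.group(4)
        if not is_plausible_ssn(area, group, serial):
            return m.group(0)  # a lookalike number, not an SSN: leave it
        return f"XXX{sep}XX{sep}{serial}"
    return SSN_RE.sub(repl, text)


# Constructed sample: a form rendering that should never leave the system
# in this state. The 10-digit DoD ID and the 000-area number are decoys.
SAMPLE_FORM = """\
Name: Doe, John A.            SSN: 123-45-6789
Sponsor SSN: 456 78 9012      DoD ID: 1234567890
Phone: (703) 604-8937         Ref: 000-12-3456 (not a valid SSN)
Unformatted field: 234567890
"""

if __name__ == "__main__":
    for line, ssn in find_ssns(SAMPLE_FORM):
        print(f"line {line}: unmasked SSN {ssn}")
    print(mask_ssns(SAMPLE_FORM))
```

An unbroken nine-digit run is inherently ambiguous, so in a real scan the unformatted hit on line 4 is the one to confirm by hand against the field's label before treating it as an exposure; the check is a release gate, not proof that a document is clean.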
According to the report, management agreed with the recommendations and is taking corrective action.

Persistent Information Assurance Weaknesses Reported in the Past 12 Years
The reports summarized in this report show that there continued to be a wide range of IA weaknesses throughout DoD. The DoD audit community and GAO have issued 535 audit reports and testimonies over the last 12 years (see Appendix E for details), which have frequently reported similar, if not identical, IA weaknesses. Security policies and procedures/management oversight issues were identified in 376 reports; inadequate access controls were identified in 251 reports; concerns related to risk, threat, and vulnerability assessments were identified in 151 reports; certification and accreditation issues were identified in 137 reports; security awareness, training, and education weaknesses were identified in 124 reports; and inadequate contingency plans were identified in 122 reports (see Appendix E). The figure below illustrates the number of reports that identified the above-cited IA weaknesses.

Figure. Reports Identifying Information Assurance Weaknesses From 1999 Through 2010 [figure image not present in the extracted text]

Unresolved Recommendations
Since August 1, 2010, management had taken action to resolve IA-related recommendations made in 49 of the previous reports. There were still 45 reports with unresolved recommendations that required management action. Prompt action to correct the outstanding IA weaknesses is necessary to mitigate ongoing vulnerabilities in the DoD IA program. See Appendix F for a listing of the 45 reports with unresolved recommendations relating to IA weaknesses.

Summary
Many of the IA weaknesses reported occurred because management of security programs was inadequate and security policies and procedures were not in place.
Without effective management oversight, DoD cannot be assured that systems are accurately reported and maintained, information systems contain reliable data, and personnel are properly trained in security policies and procedures. Effective management oversight will remedy persistent IA weaknesses, thereby increasing assurance that DoD information systems maintain an appropriate level of confidentiality, integrity, authentication, and availability.

Appendix A. Scope and Methodology
This report summarizes the DoD IA weaknesses identified in 42 reports that GAO and the DoD audit community issued from August 1, 2010, through July 31, 2011. To prepare this summary, the DoD OIG audit team reviewed the Web sites of GAO and each DoD Component audit organization and requested reports discussing IA weaknesses from each organization. The DoD OIG audit team also reviewed prior IA summary reports and, with the assistance of the DoD audit community and GAO follow-up organizations, summarized reports with unresolved recommendations on IA weaknesses.

This summary report does not make recommendations because recommendations have already been made in the summarized reports. We did not follow generally accepted government auditing standards in conducting this project because it is a summary project. Also, we did not include independent tests of management controls or validate the information or results reported in the summarized reports.
This summary report supports the DoD OIG response to the requirements of Public Law 107-347, Title III, “Federal Information Security Management Act (FISMA),” section 3545, December 17, 2002. We conducted this summary work from February 2011 through September 2011.

Use of Computer-Processed Data
We did not use computer-processed data when compiling information for this summary report.

Appendix B. Prior Coverage
During the last 12 years, DoD OIG has issued 12 summary reports detailing IA weaknesses. Unrestricted DoD IG reports can be accessed at http://www.dodig.mil/audit/reports. The remainder of the reports are For Official Use Only and can be obtained by contacting the Freedom of Information Act Requester Service Center by telephone, (703) 604-9775 (DSN 664-9775), or fax (703) 602-0294.

DoD IG Report No. D-2010-090, “Summary of Information Assurance Weaknesses Identified in Audit Reports Issued From August 1, 2009, Through July 31, 2010,” September 30, 2010 (FOUO)

DoD IG Report No. D-2009-110, “Summary of Information Assurance Weaknesses Identified in Audit Reports Issued From August 1, 2008, Through July 31, 2009,” September 28, 2009 (FOUO)

DoD IG Report No. D-2008-125, “Summary of Information Assurance Weaknesses Found in Audit Reports Issued From August 1, 2007, Through July 31, 2008,” September 2, 2008

DoD IG Report No. D-2007-123, “Summary of Information Assurance Weaknesses Found in Audit Reports Issued From August 1, 2006, Through July 31, 2007,” September 12, 2007

DoD IG Report No. D-2006-110, “Summary of Information Assurance Weaknesses Found in Audit Reports Issued From August 1, 2005, Through July 31, 2006,” September 14, 2006

DoD IG Report No. 
D-2005-110, “Summary of Information Security Weaknesses Reported by Major Oversight Organizations From August 1, 2004, Through July 31, 2005,” September 23, 2005 (FOUO)

DoD IG Report No. D-2004-116, “Information Security Weaknesses Reported by Major Oversight Organizations From August 1, 2003, Through July 31, 2004,” September 23, 2004 (FOUO)

DoD IG Report No. D-2004-038, “Information Assurance Challenges – A Summary of Results Reported From August 1, 2002, Through July 31, 2003,” December 22, 2003 (FOUO)

DoD IG Report No. D-2003-024, “Information Assurance Challenges – An Evaluation of Audit Results Reported From August 23, 2001, Through July 31, 2002,” November 21, 2002 (FOUO)

DoD IG Report No. D-2001-182, “Information Assurance Challenges – A Summary of Results Reported April 1, 2000, Through August 22, 2001,” September 19, 2001 (FOUO)

DoD IG Report No. D-2000-124, “Information Assurance Challenges – A Summary of Audit Results Reported December 1, 1998, Through March 31, 2000,” May 15, 2000 (FOUO)

DoD IG Report No. 
99-069, “Summary of Audit Results – DoD Information Assurance Challenges,” January 22, 1999

Appendix C. Matrix of Information Assurance Weaknesses Reported From August 1, 2010, Through July 31, 2011
[Landscape matrix; the extracted text does not preserve which cell marks (X) belong to which report and weakness category, so only the row and column headings are reproduced here.]

Weakness categories (matrix columns): Access Controls; Certification and Accreditation; Configuration Management; Contingency Plans; Continuity of Operations Plans; Continuous Monitoring Management; Contractor Systems; Cyber Security; Identity and Access Management; Information Systems Inventory Reporting; Incident Handling; Interoperability; Personnel Security; Physical Security; Plans of Actions and Milestones; Privacy Act Information; Remote Access Management; Risk, Threat, and Vulnerability Assessment; Security Capital Planning; Security Awareness, Training, Education; Security Policies and Procedures / Management Oversight.

Reports (matrix rows), by agency:

Government Accountability Office: GAO-11-566R, GAO-11-565, GAO-11-75, GAO-11-684, GAO-11-621, GAO-11-421, GAO-11-276, GAO-11-265, GAO-11-148, GAO-10-916, GAO-10-636

Army Audit Agency: A-2011-0150-IET, A-2011-0143-IET, A-2011-0147-IET, A-2011-0100-IET, A-2010-0212-FFI, A-2010-0162-FFI

DoD Inspector General: D-2011-089 (FOUO), D-2011-079 (FOUO), D-2011-064 (FOUO), D-2011-020, D-2010-074 (FOUO)

Naval Audit Service (all FOUO): N2011-0046, N2011-0041, N2011-0040, N2011-0038, N2011-0028, N2011-0025, N2011-0020, N2011-0017, N2011-0001, N2010-0052, N2010-0046

Air Force Audit Agency rows and the Total column: truncated in the extracted text (only the report number fragments FC2000, FC4000, and FB4000 survive).
FB4000\n                                                                                                                                                FB2000\n                                                                                                                                                              FB4000\n                                                                                                                                                                            FB4000\n                                                                                                                                                                                                        FB4000\n                                                                                                                                                                                                                                     Audit\n                                                                                                                                                                                                                                                 Agency\n\n\n\n\n                                                                                                                                                                                                                                     Agency\n                                                                                                                                                                                                                                    Air Force\n\n\n\n                                                                                                                                                                                                                      F2010-0005-\n\n\n\n\n                                                                            
                          F2011-0006-\n                                                                                                                    F2011-0004-\n                                                                                                                                  F2011-0003-\n                                                                                                                                                F2011-0002-\n                                                                                                                                                              F2011-0002-\n                                                                                                                                                                            F2011-0001-\n                                                                                                                                                                                          F2010-0008-\n                                                                                                                                                                                                        F2010-0007-\n                                                                                                                                                                                                                                                Report No.\n\n\n\n\n                                                                                                                                                                X\n\n\n\n\n                                                                                                                                    X\n                                                                                                                                                  X\n                                                 
                                                                                                                                           X\n                                                                                                                                                                                                          X\n\n\n\n\n                                                                                              12\n                                                                                                                                                                                                                                                  Access Controls\n\n\n\n\n                                                                                              5\n                                                                                                                                                                              X\n                                                                                                                                                                                                                                                  Certification and Accreditation\n\n\n\n\n                                                                                              5\n                                                                                                                                                                              X\n                                                                                                                                                                                                                                                  Configuration Management\n\n\n\n\n                                                                                              1\n                                                                            
                                                                      X\n                                                                                                                                                                                                                                                  Contingency Plans\n\n\n\n\n                                                                                              2\n                                                                                                                                                                                                                                                  Continuity of Operations Plans\n\n\n\n\n                                                                                              4\n                                                                                                                                                                X\n                                                                                                                                                                                                                                                  Continuous Monitoring Management\n\n\n\n\n                                                                                              0\n                                                                                                                                                                                                                                                  Contractor Systems\n\n\n\n\n                                                                                              1\n                                                                                                                      X\n                                                                                                                                                      
                                                                                            Cyber Security\n\n\n\n\n       report may cover several IA weaknesses.\n                                                                                              7\n                                                                                                                                                                                            X\n                                                                                                                                                                                                                                                  Identity and Access Management\n\n\n\n\n                                                                                              2\n                                                                                                                                                                                                                        X\n\n\n\n\n16\n\t\n                                                                                                                                                                                                                                                  Information Systems Inventory Reporting\n\n\n\n\n                                                                                              2\n                                                                                                        X\n                                                                                                                                                                                                                                                  Incident Handling\n\n\n\n\n                                                                                              1\n                                                                         
                                                                                                                                                                         Interoperability\n\n\n\n\n                                                                                              2\n                                                                                                        X\n                                                                                                                                                                                                                                                  Personnel Security\n\n\n\n\n                                                                                              3\n                                                                                                                                                                                                                                                  Physical Security\n\n\n\n\n                                                                                              9\n                                                                                                                                                                                                                                                  Plans of Actions and Milestones\n\n\n\n\n                                                                                                                                    X\n                                                                                                                                                                                            X\n\n\n\n\n                                                                                              10\n                                                                                                                                                         
                                                                                         Privacy Act Information\n\n\n\n\n                                                                                              0\n                                                                                                                                                                                                                                                  Remote Access Management\n\n\n\n\n                                                                                              6\n                                                                                                                                    X\n\n\n\n\n       Note: Totals do not equal the number of reports and testimonies reviewed because one\n                                                                                                                                                                                                                                                  Risk, Threat, and Vulnerability Assessment\n\n\n\n\n                                                                                              2\n                                                                                                                                                                                                                                                  Security Capital Planning\n                                                                                                                                                                X\n                                                                                                                                                                                            X\n                                                                                                                                                              
                                            X\n\n\n\n\n                                                                                                        X\n                                                                                                                                    X\n                                                                                                                                                  X\n                                                                                                                                                                              X\n\n\n\n\n                                                                                              13\n                                                                                                                                                                                                                                                  Security Awareness, Training, Education\n\n                                                                                                                                                                                                                                                  Security Policies and Procedures / Management\n                                                                                                                                                                                                                        X\n\n\n\n\n                                                                                                                      X\n                                                                                                                                                                X\n                                                                                                                                                                                          
  X\n                                                                                                                                                                                                          X\n\n\n\n\n                                                                                                        X\n                                                                                                                                    X\n                                                                                                                                                  X\n                                                                                                                                                                              X\n\n\n\n\n                                                                                              38\n                                                                                                                                                                                                                                                  Oversight\n\x0cAppendix D. Audit Reports Issued From\nAugust 1, 2010, Through July 31, 2011\nUnrestricted GAO reports can be accessed over the Internet at http://www.gao.gov.\nUnrestricted DoD IG reports can be accessed at http://www.dodig.mil/audit/reports.\nUnrestricted Army reports can be accessed from .mil and gao.gov domains over the\nInternet at https://www.aaa.army.mil/. Naval Audit Service reports are unavailable over\nthe Internet. Air Force Audit Agency reports can be accessed by certain government\nusers at https://afkm.wpafb.af.mil/ASPs/CoP/OpenCoP.asp?Filter=OO-AD-01-41.\n\nGAO\nGAO Report No. GAO-10-636, \xe2\x80\x9cGlobal Positioning System: Challenges in Sustaining\nand Upgrading Capabilities Persist,\xe2\x80\x9d September 2010\n\nGAO Report No. 
GAO-10-916, “Information Security: Progress Made on Harmonizing Policies and Guidance for National Security and Non-National Security Systems,” September 2010

GAO Report No. GAO-11-148, “Health Information Technology: DoD Needs to Provide More Information on Risks to Improve Its Program Management,” November 2010

GAO Report No. GAO-11-265, “Electronic Health Records: DoD and VA Should Remove Barriers and Improve Efforts to Meet Their Common System Needs,” February 2011

GAO Report No. GAO-11-276, “Defense Biometrics: DoD Can Better Conform to Standards and Share Biometric Information with Federal Agencies,” March 2011

GAO Report No. GAO-11-421, “Defense Department Cyber Efforts: More Detailed Guidance Needed to Ensure Military Services Develop Appropriate Cyberspace Capabilities,” May 2011

GAO Report No. GAO-11-621, “Intelligence, Surveillance, and Reconnaissance: DoD Needs a Strategic, Risk-Based Approach to Enhance Its Maritime Domain Awareness,” June 2011

GAO Report No. GAO-11-684, “Department of Defense: Further Actions Needed to Institutionalize Key Business System Modernization Management Controls,” June 2011

GAO Report No. GAO-11-75, “Defense Department Cyber Efforts: DoD Faces Challenges In Its Cyber Activities,” July 2011

GAO Report No. GAO-11-565, “Data Center Consolidation: Agencies Need to Complete Inventories and Plans to Achieve Expected Savings,” July 2011

GAO Report No. GAO-11-566R, “Defense Logistics: Oversight and a Coordinated Strategy Needed to Implement the Army Workload and Performance System,” July 14, 2011

DoD IG
DoD IG Report No. D-2010-074, “Information Assurance Controls for the Defense Civilian Pay System for FY 2009,” August 2, 2010 (FOUO)

DoD IG Report No. D-2011-020, “DoD Controls Over Information Placed on Publicly Accessible Web Sites Require Better Execution,” November 29, 2010

DoD IG Report No. D-2011-064, “Audit of the Information Security Controls Over the Marine Corps Total Force System Need Improvement,” May 5, 2011 (FOUO)

DoD IG Report No. D-2011-079, “Defense Information Systems Agency Controls Placed in Operation and Tests of Operating Effectiveness as of October 1, 2010, Through April 30, 2011,” June 30, 2011 (FOUO)

DoD IG Report No. D-2011-089, “Reducing Vulnerabilities at the Defense Information Systems Agency Defense Enterprise Computing Centers,” July 22, 2011 (FOUO)

Army Audit Agency
Army Audit Agency Report No. A-2010-0162-FFI, “Data at Rest, Fort Carson, Colorado,” August 11, 2010

Army Audit Agency Report No. A-2010-0212-FFI, “Data at Rest, Chief Information Officer/G-6,” September 29, 2010

Army Audit Agency Report No. A-2011-0100-IET, “Data at Rest, Fort Bragg, North Carolina,” April 29, 2011

Army Audit Agency Report No. A-2011-0147-IET, “Information Assurance Certification for Contractors,” June 23, 2011

Army Audit Agency Report No. A-2011-0143-IET, “Application Migration, Office of the Chief Information Officer/G-6,” July 6, 2011

Army Audit Agency Report No. A-2011-0150-IET, “The Army’s Use of Social Media, External Official Presence Sites,” July 26, 2011

Naval Audit Service
Naval Audit Service Report No. N2010-0046, “Defense Travel System,” August 3, 2010 (FOUO)

Naval Audit Service Report No. N2010-0052, “Managing Personally Identifiable Information at Selected Commander, Navy Installations Command Activities,” September 10, 2010 (FOUO)

Naval Audit Service Report No. N2011-0001, “Navy Enterprise Resource Program - Purchase Card Capabilities,” October 1, 2010 (FOUO)

Naval Audit Service Report No. N2011-0017, “Navy Reserve Southwest Region Annual Training and Active Duty for Training Orders,” January 19, 2011 (FOUO)

Naval Audit Service Report No. N2011-0020, “Unnecessary Collection of Personally Identifiable Information in the Department of the Navy,” January 28, 2011 (FOUO)

Naval Audit Service Report No. N2011-0025, “Navy/Marine Corps Intranet Internal Controls Over Computers During Turn-In Process,” March 18, 2011 (FOUO)

Naval Audit Service Report No. N2011-0028, “Followup of Management of Privacy Act Information at the Navy Recruiting Command,” March 31, 2011 (FOUO)

Naval Audit Service Report No. N2011-0038, “Controls Over Navy Marine Corps Intranet Contractors and Subcontractors Accessing Department of the Navy Information,” May 26, 2011 (FOUO)

Naval Audit Service Report No. N2011-0040, “Managing Personally Identifiable Information at Marine Corps Base, Camp Lejeune,” June 1, 2011 (FOUO)

Naval Audit Service Report No. N2011-0041, “Followup on Management of Privacy Act Information at Naval District Washington,” June 15, 2011 (FOUO)

Naval Audit Service Report No. N2011-0046, “Followup on Management of Personally Identifiable Information at Marine Corps Recruiting Command,” July 29, 2011 (FOUO)

Air Force Audit Agency
Air Force Audit Agency Report No. F2010-0005-FC2000, “Nuclear Certification of Aircraft and Test Equipment Software,” August 23, 2010

Air Force Audit Agency Report No. F2010-0007-FB4000, “Access Controls For Air and Space Operations Center Networks,” August 31, 2010

Air Force Audit Agency Report No. F2010-0008-FC4000, “Temporary Duty Travel Management,” September 13, 2010

Air Force Audit Agency Report No. F2011-0001-FB4000, “Voice Over Internet Protocol Implementation,” December 20, 2010

Air Force Audit Agency Report No. F2011-0002-FB4000, “Information Assurance Workforce Improvement Program,” January 26, 2011

Air Force Audit Agency Report No. F2011-0002-FB2000, “Enterprise Environmental Safety and Occupational Health – Management Information System Application Controls,” February 15, 2011

Air Force Audit Agency Report No. F2011-0003-FB4000, “Access Controls For Electronic Medical Records,” April 1, 2011

Air Force Audit Agency Report No. F2011-0004-FB4000, “Computer Network Incident Response and Reporting,” April 20, 2011

Air Force Audit Agency Report No. F2011-0006-FB4000, “Privacy Breach Reporting,” July 14, 2011

Appendix E. 
Matrix of Reports that Identified Key Information Assurance Weaknesses Reported From January 1, 1995, Through July 31, 2010

Columns: (A) Number of Reports and Testimonies Reviewed; (B) Security Policies and Procedures / Management Oversight; (C) Access Controls; (D) Risk, Threat, and Vulnerability Assessment; (E) Certification and Accreditation; (F) Security Awareness, Training, Education; (G) Contingency Plans.

Year      (A)    (B)    (C)    (D)    (E)    (F)    (G)
2010       47     40     28      8      8      7     10
2009       48     29     14      9      3      4      5
2008       21     15      9      5      4      4      2
2007       36     33     15      2      7      8      7
2006       28     12     19      3     12      8      6
2005       46     30     21     17     16     17     19
2004       40     33     19     22     18     12     10
2003       57     13     19     23     19      5     17
2002       57     32     16     10     22     12     17
2001       59     50     21     24      0     10     11
2000       21      0     11     10      6      8      8
1999       75     89     59     18     22     29     10
Total     535    376    251    151    137    124    122

Note: The top six IA weaknesses over the previous 12 reporting cycles are discussed in the table above. Totals do not equal the number of reports and testimonies reviewed because one report may cover several IA weaknesses.

Appendix F. Audit Reports From Prior Information Assurance Summary Reports With Unresolved Recommendations

IA weaknesses continue to exist throughout DoD. Of the 535 reports and testimonies included in 12 prior IA summary reports, 45 had unresolved recommendations; management had not corrected agreed-upon IA weaknesses within 12 months of the report issue date. The list of reports with unresolved recommendations was compiled based on information GAO and the DoD audit community provided in July 2011 and may be incomplete because of the extent of information maintained in their respective follow-up systems.

Unrestricted GAO reports can be accessed over the Internet at http://www.gao.gov. Unrestricted DoD IG reports can be accessed at http://www.dodig.mil/audit/reports. Unrestricted Army reports can be accessed from .mil and gao.gov domains over the Internet at https://www.aaa.army.mil/. Naval Audit Service reports are unavailable over the Internet. Air Force Audit Agency reports can be accessed by certain government users at https://afkm.wpafb.af.mil/ASPs/CoP/OpenCoP.asp?Filter=OO-AD-01-41.

GAO
GAO Report No. GAO-07-528, “Information Security: Selected Departments Need to Address Challenges in Implementing Statutory Requirements,” August 2007

GAO Report No. 
GAO-08-922, “DOD Business Systems Modernization: Planned
Investment in Navy Program to Create Cashless Shipboard Environment Needs to Be
Justified and Better Managed,” September 2008

GAO Report No. GAO-09-49, “Defense Management: DOD Can Establish More
Guidance for Biometrics Collection and Explore Broader Data Sharing,” October 2008

GAO Report No. GAO-09-268, “Electronic Health Records: DOD’s and VA’s Sharing of
Information Could Benefit from Improved Management,” January 2009

GAO Report No. GAO-09-586, “DOD Business Systems Modernization: Recent
Slowdown in Institutionalizing Key Management Controls Needs to Be Addressed,”
May 2009

GAO Report No. GAO-09-566, “Information Technology: Federal Agencies Need to
Strengthen Investment Board Oversight of Poorly Planned and Performing Projects,”
June 2009

GAO Report No. GAO-09-775, “Electronic Health Records: DOD and VA Efforts to
Achieve Full Interoperability Are Ongoing; Program Office Management
Needs Improvement,” July 2009

GAO Report No. GAO-09-546, “Information Security: Agencies Continue to Report
Progress, but Need to Mitigate Persistent Weaknesses,” July 2009

GAO Report No. GAO-09-740R, “Defense Critical Infrastructure: Actions Needed to
Improve the Consistency, Reliability, and Usefulness of DOD’s Tier 1 Task Critical
Asset List,” July 2009

GAO Report No. GAO-09-617, “Information Security: Concerted Effort Needed
to Improve Federal Performance Measures,” September 2009

GAO Report No. GAO-09-888, “Information Technology: DOD Needs to Strengthen
Management of Its Statutorily Mandated Software and System Process Improvement
Efforts,” September 2009

GAO Report No. 
GAO-10-148, “Critical Infrastructure Protection: OMB Leadership
Needed to Strengthen Agency Planning Efforts to Protect Federal Cyber Assets,”
October 2009

GAO Report No. GAO-10-202, “Information Security: Agencies Need to Implement
Federal Desktop Core Configuration Requirements,” March 2010

GAO Report No. GAO-10-663, “Scope and Content of DOD’s Congressional Report and
Executive Oversight of Investments Need to Improve,” May 2010

DoD IG
DoD IG Report No. D-2005-0054, “Audit of the DOD Information Technology Security
Certification and Accreditation Process,” April 28, 2005 (FOUO)

DoD IG Report No. D-2009-0097, “Data Migration Strategy and Information Assurance
for the Business Enterprise Information Services,” July 30, 2009

DoD IG Report No. D-2009-0086, “Controls Over the Contractor Common Access Card
Life Cycle in the Republic of Korea,” June 9, 2009

DoD IG Report No. D-2010-0058, “Selected Controls for Information Assurance at the
Defense Threat Reduction Agency,” May 14, 2010

Army Audit Agency
Army Audit Report No. A-2008-0186-FFI, “Installation Campus Area Network
Connectivity - Wireless Network and Devices,” July 8, 2008

Army Audit Report No. A-2009-0037-FFI, “Information Technology Contingency
Plans - Chief Information Officer/G-6,” January 26, 2009

Army Audit Report No. A-2010-0046-FFI, “Army Networthiness Certification Program,”
February 2, 2010

Naval Audit Service
Naval Audit Service Report No. N-2007-0017, “Ordnance Information System,”
February 28, 2007 (FOUO)

Naval Audit Service Report No. 
N-2008-0023, “Information Security Within the Marine
Corps,” February 20, 2008 (FOUO)

Naval Audit Service Report No. N-2009-0027, “Processing of Computers and Hard
Drives During the Navy Marine Corps Intranet (NMCI) Computer Disposal Process,”
April 28, 2009 (FOUO)

Naval Audit Service Report No. N2010-005, “Information Security for Research,
Development, Test, and Evaluation and Education Legacy Networks,” January 7, 2010
(FOUO)

Naval Audit Service Report No. N2010-0040, “Protecting Personally Identifiable
Information at the Office of Civilian Human Resources and Human Resources Services
Centers,” June 30, 2010 (FOUO)

Air Force Audit Agency
Air Force Audit Agency Report No. F2010-0009-FB2000, “Implementation of Chief
Financial Officer Compliance Tracking for Financial Systems,” July 28, 2010

Air Force Audit Agency Report No. F2010-0005-FB4000, “Publicly Accessible Air
Force Web Sites,” May 14, 2010

Air Force Audit Agency Report No. F2010-0006-FB2000, “Air National Guard Reserve
Writing System Controls,” April 30, 2010

Air Force Audit Agency Report No. F2010-0003-FB4000, “Contractor Circuit Security,”
January 13, 2010

Air Force Audit Agency Report No. F2009-0010-FB2000, “Follow-Up Audit, Air Force
Equipment Management Systems Controls,” August 14, 2009

Air Force Audit Agency Report No. F2009-0007-FD4000, “Personnel Security
Clearances,” May 8, 2009

Air Force Audit Agency Report No. F2009-0003-FB4000, “Follow-Up Audit, Controls
Over Access to Air Force Networks and Systems,” April 30, 2009

Air Force Audit Agency Report No. 
F2009-0004-FB2000, “Defense Enterprise
Accounting and Management System Controls,” February 20, 2009

Air Force Audit Agency Report No. F2009-0002-FB4000, “Plan of Action and Milestone
Program Management,” November 5, 2008 (FOUO)

Air Force Audit Agency Report No. F2009-0001-FB2000, “Mechanization of Contract
Administration Service Controls,” October 3, 2008

Air Force Audit Agency Report No. F2009-0001-FB4000, “Combat Information
Transport System Technical Order Compliance Process,” October 3, 2008

Air Force Audit Agency Report No. F2008-0007-FB4000, “Federal Information Security
Management Act Security Control Testing,” September 15, 2008 (FOUO)

Air Force Audit Agency Report No. F2008-0006-FB4000, “Mission Assurance Category
YI Systems Certification and Accreditation,” August 22, 2008

Air Force Audit Agency Report No. F2008-0005-FB2000, “Comprehensive Cost and
Requirements System Controls,” July 23, 2008

Air Force Audit Agency Report No. F2007-0004-FB2000, “Reliability, Availability,
Maintainability Support System for Electronic Combat Pods System Controls,”
May 25, 2007

Air Force Audit Agency Report No. F2007-0004-FB4000, “Security of Remote
Computer Devices,” March 13, 2007 (FOUO)

Air Force Audit Agency Report No. F2006-0009-FB2000, “Contract Writing System
Controls,” August 3, 2006

Air Force Audit Agency Report No. F2006-0008-FB2000, “System Controls for Item
Manager Wholesale Requisition Process System,” June 21, 2006

Air Force Audit Agency Report No. 
F2006-0006-FB2000, “Controls for the Wholesale
and Retail Receiving and Shipping System,” May 19, 2006

Glossary
Access Controls – Access controls limit information system resources to authorized
users, programs, processes, or other systems.

Audit Trail – An audit trail is a chronological record of system activities that enables the
reconstruction and examination of the sequence of events or changes in an event.

IA Certification and Accreditation – Certification and accreditation is the standard
DoD approach for identifying information security requirements, providing security
solutions, and managing the security of DoD information systems.

Configuration Management – Configuration management is the management of
security features and assurances through control of changes made to hardware, software,
firmware, documentation, test, test fixtures, and test documentation throughout the life
cycle of an information system.

Contingency Plan – A contingency plan is maintained for emergency response, backup
operations, and post-disaster recovery of an information system to ensure the availability
of critical resources and to facilitate the continuity of operations in an emergency.

Continuity of Operations Plan – A continuity of operations plan is a plan for continuing
an organization’s essential functions at an alternate site and performing those functions
for the duration of an event with little or no loss of continuity before returning to normal
operations.

Continuous Monitoring Management – The process implemented to maintain a current
security status for one or more information systems or for the entire suite of information
systems on which the operational mission of the enterprise depends. 
The process
includes: 1) the development of a strategy to regularly evaluate selected IA
controls/metrics, 2) recording and evaluating IA-relevant events and the effectiveness of
the enterprise in dealing with those events, 3) recording changes to IA controls, or
changes that affect IA risks, and 4) publishing the current security status to enable
information sharing decisions involving the enterprise.

Contractor Systems – Agency systems operated on its behalf by contractors or other
entities, including Agency systems and services residing in the cloud external to the
Agency.

Cyber Security – Prevention of damage to, protection of, and restoration of computers,
electronic communications systems, electronic communications services, wire
communication, and electronic communications, including information contained therein,
to ensure its availability, integrity, authentication, confidentiality, and non-repudiation.

Identity and Access Management – The processes, technologies, and policies for
managing digital identities and controlling how identities can be used to access resources.

Information Systems Inventory Reporting – The head of each agency must develop
and maintain an inventory of major information systems, including major national
security systems, operated by or under the control of the agency. The inventory should
also identify the interfaces between each system and other systems or networks, including
those not operated by or under the control of the agency.

Incident Response – Also known as incident handling, incident response is the
mitigation of violations of security policies and recommended practices.

Interoperability – 1. The ability to operate in synergy in the execution of assigned tasks.
2. 
(DoD only) The condition achieved among communications-electronics systems or
items of communications-electronics equipment when information or services can be
exchanged directly and satisfactorily between them or their users.

Personnel Security – The objective of the Personnel Security Program is to ensure that
the military, civilian, and contractor personnel assigned to and retained in sensitive
positions in which they could potentially damage national security are, and remain,
reliable and trustworthy, and that no reasonable basis exists for doubting their allegiance
to the United States. Assignment to sensitive duties is granted only to individuals who
are U.S. citizens and for whom an appropriate investigation has been completed.

Physical and Environmental Security – Physical security refers to measures taken to
protect systems, buildings, and related supporting infrastructure against threats associated
with their physical environment.

Plan of Action and Milestones – A plan of action and milestones is a tool that identifies
tasks that need to be accomplished. A plan of action and milestones details resources
required to accomplish the elements of the plan, any milestones in meeting the task, and
scheduled completion dates for the milestones. The purpose of a plan of action and
milestones is to assist agencies in identifying, assessing, prioritizing, and monitoring the
progress of corrective efforts for security weaknesses found in programs and systems.

Policies and Procedures – Policies and procedures are the aggregate of directives,
regulations, rules, and practices that regulate how an organization manages, protects, and
distributes information. 
Information security policy can be contained in public laws,
Executive orders, DoD Directives, and local regulations.

Privacy Act Information – Privacy Act information is personal information about an
individual that links, relates, or is unique to or identifies or describes him or her, such as
SSN; age; military rank; civilian grade; marital status; race; salary; home or office phone
number; and other demographic, biometric, personal, medical, and financial information.
This information is also referred to as PII, or that which can be used to distinguish or
trace an individual’s identity.

Remote Access Management – Access to an organizational information system by a
user (or a process acting on behalf of a user) communicating through an external network
(e.g., the Internet).

Risk Assessment – Risk assessment is an analysis of threats to and vulnerabilities of
information systems and the potential impact of the loss of an information system and its
capabilities. 
The analysis is used as a basis for identifying appropriate and cost-effective
security measures.

Security Capital Planning – A synonym for capital programming; a decision-making
process for ensuring that IT investments integrate strategic planning, budgeting,
procurement, and the management of IT in support of agency missions and business
needs.

Security Awareness, Training, and Education
       • Awareness – Awareness is a learning process that sets the stage for training by
         changing individual and organizational attitudes to realize the importance of
         security and the adverse consequences of its failure.
       • Training – Training is teaching people the knowledge and skills that will
         enable them to perform their jobs more effectively.
       • Education – Education focuses on developing the ability and vision to perform
         complex, multidisciplinary activities and the skills needed to further the
         information technology security profession. Education activities include
         research and development to keep pace with changing technologies.

Segregation of Duties – Segregation of duties refers to dividing roles and responsibilities
so that a single individual cannot subvert a critical process.